with access to traffic it was known which device was communicating a contagion.
The essential operation of the official application to help prevent the spread of the coronavirus, Radar COVID, is as follows: a user is positive, receives a code from the health authorities and enters it in the service.
This data is then used by the application to send the information to the server that enables the machinery that explains the usefulness of the application to start up. That is, the notifications that anonymously receive the possible close contacts that the infected person has had in the last 14 days.
Someone with access to the traffic, perhaps the most difficult thing to achieve, could identify a device that communicates a positive
All this with the promise that these processes are done anonymously. Something that would not have been completely like that for some time, according to El País and can be deduced from the update of the application on October 9.
An eye-opening traffic
The process for reporting a positive, which we explained at the beginning, is practically identical in most tracking applications of this type. The differential point of the Spanish case compared to others, explains the newspaper of the Prisa group, is that the traffic that occurs when the code that demonstrates that the user has been infected is revealing. It has a certain size and, in addition, it is directed to a certain machine.
While other European tracking applications simulate bogus traffic from random mobile devices in order that the presence of traffic is not necessarily synonymous with a real positive as specified by the DP3T protocol, Radar COVID did not start doing this until October 9. This means that someone with access to traffic, perhaps the most difficult to achieve, could identify a device that communicates a positive because from them that information would have been sent to the server.
As there is no fictitious traffic, monitoring the type of traffic that causes the communication of a positive could identify which device has carried it out
Amazon could have verified this because the upload to the server is done with a company program, says El País, as well as any other agent that could have been listening to that particular traffic on internet networks of a different type. Traffic that, on the other hand, it is encrypted and does not identify the positive person who has communicated it. With the vulnerability, in the event that it had been successfully exploited, the device would be identified and not who is behind it, as the journalistic information published this Thursday erroneously assures. Remember that the application does not identify the owner of the device that installs it in any way.
The problem was revealed on September 28 and confirmed in the last hours as “possible vulnerability” by sources from the Secretary of State for Artificial Intelligence, responsible for Radar COVID, to the newspaper.
The problem that has already been solved has not been made public, as government sources have explained to ‘El País’, because there is no evidence of a violation of said data
They have also communicated to the Spanish Data Protection Agency in accordance with public information, in compliance with the General Data Protection Regulation of the European Union. As there is no evidence of a violation of the security of personal data, government sources explain to the newspaper, it is not appropriate to make the vulnerability public as established in article 33 of the regulation that seeks to avoid the concealment of cyberattacks by forcing them to be communicated within 72 hours.
Sources from the Secretary of State for Artificial Intelligence, asked by SamaGame, they do not consider it to be a security breach as it has not been exploited and has a limited scope. In addition, they emphasize that it was solved and that the application code takes time to be available to the public so that it can be examined.